Cisco Support Community
Community Member

Arrowpoint cookies and ssl without SSL Module

I have a 1503 CS. I would like to know if I can use advanced-balance arrowpoint-cookie in our environment. We have the SSL being done on the server. Will the following work:

content t2p443
  vip address xxx.xxx.xxx.xxx
  protocol tcp
  port 443
  add service PR90APP8-443
  add service PR92APP7-443
  flow-timeout-multiplier 115
  sticky-inact-timeout 15
  sticky-mask 255.255.240.0
  application ssl
  advanced-balance arrowpoint-cookie
  active

Thanks

3 REPLIES
Community Member

Re: Arrowpoint cookies and ssl without SSL Module

Unfortunately not. The traffic would be encrypted to the CSS. ARPT cookies can only be inserted in clear text.

You would need to implement cookies on the server or use an ssl module offloader installed in the chassis (or external). The offloader would decrypt the ssl request and hit another content rule in clear text. That rule could use arrowpoint-cookies as a sticky method.

David

Community Member

Re: Arrowpoint cookies and ssl without SSL Module

Thanks Dave. I have another question. When I want to take a server out of rotation for maintenance I assign a weight of zero to the content. The only problem is that I am balancing using sticky source IP and I can't really tell the number of remaining connections using sh service summary. The connections vary from 0 to a few. I think I am hitting the mega-proxy limitation of sticky source IP. Is there any way I can really tell if everybody is off the server so I can safely suspend the service?

Thanks in advance for your help.

Community Member

Re: Arrowpoint cookies and ssl without SSL Module

The current connections listed under show service summary should be correct. If you are at zero, then all connections are gone.

Since you're using flow-timeout-mult, flows may stay around if not gracefully closed. Once you're at zero, suspend the service. If you don't, new connections can still be sent to the "zero weight" service, if the client is in the sticky table.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cntlbgd/services.htm#wp1050713

If a proxy is always sending connections and you're using sticky-ip, the entry will never age out (which may be what you're seeing). Use sticky-inact to more aggressively age out entries. Be careful w/ this command. If your sticky table becomes full, new connections will be rejected until the old entries age out.

David
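As an added illustration (not code from this thread and not Cisco CSS code), the following Python model mimics the behaviour David describes: a sticky source-IP table keyed by the sticky-mask, a weight-zero service that still receives flows from clients already in the table, a suspend that finally redirects them, and sticky-inact aging that only fires when the source stops sending. The class and method names, the weighted round-robin choice, and treating the inactivity timeout as minutes (to mirror `sticky-inact-timeout 15` in the rule) are assumptions of this example, not details of the CSS implementation.

```python
"""Toy model of sticky source-IP balancing with a weight-zero drain, a
suspend, and sticky-inact aging.  Added illustration only; nothing here is
Cisco CSS code.  Class names are invented and the timeout is treated as
minutes (an assumption) to mirror sticky-inact-timeout 15 in the rule."""
from ipaddress import ip_network


class Service:
    """One 'add service' entry: weight 0 drains new clients, suspend removes it."""

    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.suspended = False
        self.served = 0  # connections handed to this service so far


class StickySrcIpBalancer:
    def __init__(self, services, sticky_mask="255.255.240.0", inact_timeout=15):
        self.services = {s.name: s for s in services}
        self.mask = sticky_mask
        self.inact = inact_timeout          # assumed minutes
        self.table = {}                     # sticky key -> (service name, last seen)
        self.rr = 0                         # round-robin cursor

    def key_for(self, src_ip):
        # sticky-mask groups sources: every client behind a proxy that shares
        # the /20 collapses onto one sticky entry (the "mega-proxy" effect)
        return str(ip_network(f"{src_ip}/{self.mask}", strict=False))

    def age_out(self, now):
        # sticky-inact: entries idle for inact_timeout or longer are dropped
        for key, (_, last) in list(self.table.items()):
            if now - last >= self.inact:
                del self.table[key]

    def new_connection(self, src_ip, now):
        """Return the service name chosen for a new flow, or None if rejected."""
        self.age_out(now)
        key = self.key_for(src_ip)
        if key in self.table:
            name, _ = self.table[key]
            svc = self.services[name]
            if not svc.suspended:
                # the sticky entry wins even when the service has weight 0,
                # and each hit refreshes the entry so it never ages out
                self.table[key] = (name, now)
                svc.served += 1
                return name
            del self.table[key]     # suspended service: forget the entry
        pool = [s for s in self.services.values()
                if s.weight > 0 and not s.suspended
                for _ in range(s.weight)]
        if not pool:
            return None             # no eligible service: flow rejected
        svc = pool[self.rr % len(pool)]
        self.rr += 1
        self.table[key] = (svc.name, now)
        svc.served += 1
        return svc.name


def drain_scenario():
    """Walk through the thread's situation and return the decisions taken."""
    a, b = Service("PR90APP8-443"), Service("PR92APP7-443")
    lb = StickySrcIpBalancer([a, b])
    out = {}
    out["proxy_first"] = lb.new_connection("10.1.1.5", now=0)      # lands on A
    a.weight = 0                                                    # "drain" A
    out["proxy_after_weight0"] = lb.new_connection("10.1.1.5", now=5)
    out["new_client_after_weight0"] = lb.new_connection("10.2.3.4", now=10)
    a.suspended = True                                              # suspend A
    out["proxy_after_suspend"] = lb.new_connection("10.1.1.5", now=12)
    out["table_after_suspend"] = sorted(lb.table)
    return out


def aging_scenario():
    """Same source idle longer than sticky-inact: the entry is re-balanced."""
    a, b = Service("PR90APP8-443"), Service("PR92APP7-443")
    lb = StickySrcIpBalancer([a, b], inact_timeout=15)
    first = lb.new_connection("10.1.1.5", now=0)
    second = lb.new_connection("10.1.1.5", now=20)   # idle 20 >= 15: aged out
    return first, second


if __name__ == "__main__":
    print(drain_scenario())
    print(aging_scenario())
```

In `drain_scenario` the proxy at 10.1.1.5 keeps landing on PR90APP8-443 after its weight is set to zero, and only the suspend moves it; a brand-new source goes to PR92APP7-443 as soon as the weight is zero. `aging_scenario` shows the other side of the same mechanism: an entry that is not refreshed for the inactivity period is dropped and the next flow is balanced afresh.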
